path: root/lib/ssl/test
Diffstat (limited to 'lib/ssl/test')
-rw-r--r--lib/ssl/test/make_certs.erl5
-rw-r--r--lib/ssl/test/ssl_basic_SUITE.erl294
-rw-r--r--lib/ssl/test/ssl_crl_SUITE.erl30
-rw-r--r--lib/ssl/test/ssl_handshake_SUITE.erl14
-rw-r--r--lib/ssl/test/ssl_test_lib.erl85
-rw-r--r--lib/ssl/test/ssl_to_openssl_SUITE.erl2
6 files changed, 382 insertions, 48 deletions
diff --git a/lib/ssl/test/make_certs.erl b/lib/ssl/test/make_certs.erl
index 0947657ca7..15a7e118ff 100644
--- a/lib/ssl/test/make_certs.erl
+++ b/lib/ssl/test/make_certs.erl
@@ -32,6 +32,7 @@
v2_crls = true,
ecc_certs = false,
issuing_distribution_point = false,
+ crl_port = 8000,
openssl_cmd = "openssl"}).
@@ -57,6 +58,8 @@ make_config([{default_bits, Bits}|T], C) when is_integer(Bits) ->
make_config(T, C#config{default_bits = Bits});
make_config([{v2_crls, Bool}|T], C) when is_boolean(Bool) ->
make_config(T, C#config{v2_crls = Bool});
+make_config([{crl_port, Port}|T], C) when is_integer(Port) ->
+ make_config(T, C#config{crl_port = Port});
make_config([{ecc_certs, Bool}|T], C) when is_boolean(Bool) ->
make_config(T, C#config{ecc_certs = Bool});
make_config([{issuing_distribution_point, Bool}|T], C) when is_boolean(Bool) ->
@@ -423,7 +426,7 @@ ca_cnf(C) ->
"[crl_section]\n"
%% intentionally invalid
"URI.1=http://localhost/",C#config.commonName,"/crl.pem\n"
- "URI.2=http://localhost:8000/",C#config.commonName,"/crl.pem\n"
+ "URI.2=http://localhost:",integer_to_list(C#config.crl_port),"/",C#config.commonName,"/crl.pem\n"
"\n"
"[user_cert_digital_signature_only]\n"
diff --git a/lib/ssl/test/ssl_basic_SUITE.erl b/lib/ssl/test/ssl_basic_SUITE.erl
index 8e3d2e4b80..1da4e88077 100644
--- a/lib/ssl/test/ssl_basic_SUITE.erl
+++ b/lib/ssl/test/ssl_basic_SUITE.erl
@@ -115,12 +115,14 @@ options_tests() ->
reuseaddr,
tcp_reuseaddr,
honor_server_cipher_order,
- honor_client_cipher_order
+ honor_client_cipher_order,
+ ciphersuite_vs_version,
+ unordered_protocol_versions_server,
+ unordered_protocol_versions_client
].
api_tests() ->
- [new_options_in_accept,
- connection_info,
+ [connection_info,
peername,
peercert,
peercert_with_client_cert,
@@ -138,7 +140,9 @@ api_tests() ->
ssl_accept_timeout,
ssl_recv_timeout,
versions_option,
- server_name_indication_option
+ server_name_indication_option,
+ accept_pool,
+ new_options_in_accept
].
session_tests() ->
@@ -187,7 +191,11 @@ error_handling_tests()->
tcp_error_propagation_in_active_mode,
tcp_connect,
tcp_connect_big,
- close_transport_accept
+ close_transport_accept,
+ recv_active,
+ recv_active_once,
+ recv_error_handling,
+ dont_crash_on_handshake_garbage
].
rizzo_tests() ->
@@ -240,6 +248,14 @@ end_per_group(_GroupName, Config) ->
Config.
%%--------------------------------------------------------------------
+init_per_testcase(Case, Config) when Case == unordered_protocol_versions_client;
+ Case == unordered_protocol_versions_server->
+ case proplists:get_value(supported, ssl:versions()) of
+ ['tlsv1.2' | _] ->
+ Config;
+ _ ->
+ {skip, "TLS 1.2 need but not supported on this platform"}
+ end;
init_per_testcase(no_authority_key_identifier, Config) ->
%% Clear cach so that root cert will not
%% be found.
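Review bot: The new `init_per_testcase` clause matches `['tlsv1.2' | _]`, so the two cases run only when TLS 1.2 is the first entry of the `supported` list, not whenever it is supported. If the ordering of `ssl:versions()` is not guaranteed, `lists:member('tlsv1.2', proplists:get_value(supported, ssl:versions()))` states the requirement directly. The skip text would read better as `"TLS 1.2 needed but not supported on this platform"`. The remaining clauses of `init_per_testcase` lie outside the hunk.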
@@ -330,14 +346,15 @@ new_options_in_accept() ->
[{doc,"Test that you can set ssl options in ssl_accept/3 and not tcp upgrade"}].
new_options_in_accept(Config) when is_list(Config) ->
ClientOpts = ?config(client_opts, Config),
- ServerOpts = ?config(server_opts, Config),
+ ServerOpts0 = ?config(server_dsa_opts, Config),
+ [_ , _ | ServerSslOpts] = ?config(server_opts, Config), %% Remove non ssl opts
{ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config),
Server = ssl_test_lib:start_server([{node, ServerNode}, {port, 0},
{from, self()},
- {ssl_opts, [{versions, [sslv3]},
- {ciphers,[{rsa,rc4_128,sha}]}]}, %% To be set in ssl_accept/3
+ {ssl_extra_opts, [{versions, [sslv3]},
+ {ciphers,[{rsa,rc4_128,sha}]} | ServerSslOpts]}, %% To be set in ssl_accept/3
{mfa, {?MODULE, connection_info_result, []}},
- {options, ServerOpts}]),
+ {options, proplists:delete(cacertfile, ServerOpts0)}]),
Port = ssl_test_lib:inet_port(Server),
Client = ssl_test_lib:start_client([{node, ClientNode}, {port, Port},
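Review bot: `[_ , _ | ServerSslOpts] = ?config(server_opts, Config)` drops the first two entries by position, so the case depends on the order in which `server_opts` is assembled elsewhere. If that list is reordered, a non-ssl option would be passed on to `ssl_accept/3`, or an ssl option silently lost. Removing the unwanted entries by key with `proplists:delete/2`, as the hunk already does for `cacertfile` on `ServerOpts0`, would make the intent explicit; which keys those are is not visible here. The function body continues outside the hunk.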
@@ -396,6 +413,7 @@ protocol_versions() ->
protocol_versions(Config) when is_list(Config) ->
basic_test(Config).
+
%%--------------------------------------------------------------------
empty_protocol_versions() ->
[{doc,"Test to set an empty list of protocol versions in app environment."}].
@@ -1154,6 +1172,57 @@ close_transport_accept(Config) when is_list(Config) ->
Other ->
exit({?LINE, Other})
end.
+%%--------------------------------------------------------------------
+recv_active() ->
+ [{doc,"Test recv on active socket"}].
+
+recv_active(Config) when is_list(Config) ->
+ ClientOpts = ?config(client_opts, Config),
+ ServerOpts = ?config(server_opts, Config),
+ {ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config),
+ Server =
+ ssl_test_lib:start_server([{node, ServerNode}, {port, 0},
+ {from, self()},
+ {mfa, {?MODULE, try_recv_active, []}},
+ {options, [{active, true} | ServerOpts]}]),
+ Port = ssl_test_lib:inet_port(Server),
+ Client =
+ ssl_test_lib:start_client([{node, ClientNode}, {port, Port},
+ {host, Hostname},
+ {from, self()},
+ {mfa, {?MODULE, try_recv_active, []}},
+ {options, [{active, true} | ClientOpts]}]),
+
+ ssl_test_lib:check_result(Server, ok, Client, ok),
+
+ ssl_test_lib:close(Server),
+ ssl_test_lib:close(Client).
+
+%%--------------------------------------------------------------------
+recv_active_once() ->
+ [{doc,"Test recv on active socket"}].
+
+recv_active_once(Config) when is_list(Config) ->
+ ClientOpts = ?config(client_opts, Config),
+ ServerOpts = ?config(server_opts, Config),
+ {ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config),
+ Server =
+ ssl_test_lib:start_server([{node, ServerNode}, {port, 0},
+ {from, self()},
+ {mfa, {?MODULE, try_recv_active_once, []}},
+ {options, [{active, once} | ServerOpts]}]),
+ Port = ssl_test_lib:inet_port(Server),
+ Client =
+ ssl_test_lib:start_client([{node, ClientNode}, {port, Port},
+ {host, Hostname},
+ {from, self()},
+ {mfa, {?MODULE, try_recv_active_once, []}},
+ {options, [{active, once} | ClientOpts]}]),
+
+ ssl_test_lib:check_result(Server, ok, Client, ok),
+
+ ssl_test_lib:close(Server),
+ ssl_test_lib:close(Client).
%%--------------------------------------------------------------------
dh_params() ->
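Review bot: `recv_active_once/0` carries the same doc string as `recv_active/0`, `"Test recv on active socket"`, so the two cases cannot be told apart in the test report; `[{doc,"Test recv on active (once) socket"}]` would separate them. Both cases depend on `ssl:recv/2` returning `{error, einval}` on a socket in active mode (asserted in the `try_recv_active*` helpers added at the end of the file). A one-line comment above `recv_active/1` saying so would help a reader who only sees `check_result(Server, ok, Client, ok)`.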
@@ -1177,7 +1246,7 @@ dh_params(Config) when is_list(Config) ->
{from, self()},
{mfa, {ssl_test_lib, send_recv_result_active, []}},
{options,
- [{ciphers,[{dhe_rsa,aes_256_cbc,sha,ignore}]} |
+ [{ciphers,[{dhe_rsa,aes_256_cbc,sha}]} |
ClientOpts]}]),
ssl_test_lib:check_result(Server, ok, Client, ok),
@@ -1276,7 +1345,7 @@ tcp_connect() ->
tcp_connect(Config) when is_list(Config) ->
ServerOpts = ?config(server_opts, Config),
{_, ServerNode, Hostname} = ssl_test_lib:run_where(Config),
- TcpOpts = [binary, {reuseaddr, true}],
+ TcpOpts = [binary, {reuseaddr, true}, {active, false}],
Server = ssl_test_lib:start_upgrade_server_error([{node, ServerNode}, {port, 0},
{from, self()},
@@ -1302,6 +1371,7 @@ tcp_connect_big() ->
[{doc,"Test what happens when a tcp tries to connect, i,e. a bad big (ssl) packet is sent first"}].
tcp_connect_big(Config) when is_list(Config) ->
+ process_flag(trap_exit, true),
ServerOpts = ?config(server_opts, Config),
{_, ServerNode, Hostname} = ssl_test_lib:run_where(Config),
TcpOpts = [binary, {reuseaddr, true}],
@@ -1327,7 +1397,9 @@ tcp_connect_big(Config) when is_list(Config) ->
{Server, {error, timeout}} ->
ct:fail("hangs");
{Server, {error, Error}} ->
- ct:log("Error ~p", [Error])
+ ct:log("Error ~p", [Error]);
+ {'EXIT', Server, _} ->
+ ok
end
end.
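Review bot: The new `{'EXIT', Server, _} -> ok` clause accepts any exit reason, so with `process_flag(trap_exit, true)` set at the top of `tcp_connect_big/1` (previous hunk) a server process that crashes on the oversized packet is treated the same as one that terminates in the expected way. Since the case exists to check how the server reacts to a bad big packet, binding and logging the reason, `{'EXIT', Server, Reason} -> ct:log("Server exit ~p", [Reason])`, or matching only the expected reason, would keep a crash visible. The enclosing `receive` starts outside the hunk.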
@@ -2559,6 +2631,81 @@ honor_cipher_order(Config, Honor, ServerCiphers, ClientCiphers, Expected) ->
ssl_test_lib:close(Client).
%%--------------------------------------------------------------------
+ciphersuite_vs_version(Config) when is_list(Config) ->
+
+ {_ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config),
+ ServerOpts = ?config(server_opts, Config),
+
+ Server = ssl_test_lib:start_server_error([{node, ServerNode}, {port, 0},
+ {from, self()},
+ {options, ServerOpts}]),
+ Port = ssl_test_lib:inet_port(Server),
+
+ {ok, Socket} = gen_tcp:connect(Hostname, Port, [binary, {active, false}]),
+ ok = gen_tcp:send(Socket,
+ <<22, 3,0, 49:16, % handshake, SSL 3.0, length
+ 1, 45:24, % client_hello, length
+ 3,0, % SSL 3.0
+ 16#deadbeef:256, % 32 'random' bytes = 256 bits
+ 0, % no session ID
+ %% three cipher suites -- null, one with sha256 hash and one with sha hash
+ 6:16, 0,255, 0,61, 0,57,
+ 1, 0 % no compression
+ >>),
+ {ok, <<22, RecMajor:8, RecMinor:8, _RecLen:16, 2, HelloLen:24>>} = gen_tcp:recv(Socket, 9, 10000),
+ {ok, <<HelloBin:HelloLen/binary>>} = gen_tcp:recv(Socket, HelloLen, 5000),
+ ServerHello = tls_handshake:decode_handshake({RecMajor, RecMinor}, 2, HelloBin),
+ case ServerHello of
+ #server_hello{server_version = {3,0}, cipher_suite = <<0,57>>} ->
+ ok;
+ _ ->
+ ct:fail({unexpected_server_hello, ServerHello})
+ end.
+
+%%--------------------------------------------------------------------
+
+dont_crash_on_handshake_garbage() ->
+ [{doc, "Ensure SSL server worker thows an alert on garbage during handshake "
+ "instead of crashing and exposing state to user code"}].
+
+dont_crash_on_handshake_garbage(Config) ->
+ ServerOpts = ?config(server_opts, Config),
+
+ {_ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config),
+
+ Server = ssl_test_lib:start_server([{node, ServerNode}, {port, 0},
+ {from, self()},
+ {mfa, {ssl_test_lib, send_recv_result_active, []}},
+ {options, ServerOpts}]),
+ unlink(Server), monitor(process, Server),
+ Port = ssl_test_lib:inet_port(Server),
+
+ {ok, Socket} = gen_tcp:connect(Hostname, Port, [binary, {active, false}]),
+
+ % Send hello and garbage record
+ ok = gen_tcp:send(Socket,
+ [<<22, 3,3, 49:16, 1, 45:24, 3,3, % client_hello
+ 16#deadbeef:256, % 32 'random' bytes = 256 bits
+ 0, 6:16, 0,255, 0,61, 0,57, 1, 0 >>, % some hello values
+
+ <<22, 3,3, 5:16, 92,64,37,228,209>> % garbage
+ ]),
+ % Send unexpected change_cipher_spec
+ ok = gen_tcp:send(Socket, <<20, 0,0,12, 111,40,244,7,137,224,16,109,197,110,249,152>>),
+
+ % Ensure we receive an alert, not sudden disconnect
+ {ok, <<21, _/binary>>} = drop_handshakes(Socket, 1000).
+
+drop_handshakes(Socket, Timeout) ->
+ {ok, <<RecType:8, _RecMajor:8, _RecMinor:8, RecLen:16>> = Header} = gen_tcp:recv(Socket, 5, Timeout),
+ {ok, <<Frag:RecLen/binary>>} = gen_tcp:recv(Socket, RecLen, Timeout),
+ case RecType of
+ 22 -> drop_handshakes(Socket, Timeout);
+ _ -> {ok, <<Header/binary, Frag/binary>>}
+ end.
+
+
+%%--------------------------------------------------------------------
hibernate() ->
[{doc,"Check that an SSL connection that is started with option "
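Review bot: In `dont_crash_on_handshake_garbage/1` the monitor created by `monitor(process, Server)` is never read, so the case verifies only that an alert record (type 21) arrives and not how the server process ended. Either drop the monitor or follow the alert match with a `receive {'DOWN', _, process, Server, Reason} -> ... after ... end` that fails on an unexpected reason. Neither this case nor `ciphersuite_vs_version/1` closes the `gen_tcp` socket or the server, unlike the cases in this commit that call `ssl_test_lib:close/1`. `ciphersuite_vs_version` also has no `ciphersuite_vs_version() -> [{doc, ...}]` clause like its neighbours, and `thows` in the doc string should be `throws`.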
@@ -2957,6 +3104,57 @@ versions_option(Config) when is_list(Config) ->
%%--------------------------------------------------------------------
+unordered_protocol_versions_server() ->
+ [{doc,"Test that the highest protocol is selected even"
+ " when it is not first in the versions list."}].
+
+unordered_protocol_versions_server(Config) when is_list(Config) ->
+ ClientOpts = ?config(client_opts, Config),
+ ServerOpts = ?config(server_opts, Config),
+
+ {ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config),
+ Server = ssl_test_lib:start_server([{node, ServerNode}, {port, 0},
+ {from, self()},
+ {mfa, {?MODULE, connection_info_result, []}},
+ {options, [{versions, ['tlsv1.1', 'tlsv1.2']} | ServerOpts]}]),
+ Port = ssl_test_lib:inet_port(Server),
+
+ Client = ssl_test_lib:start_client([{node, ClientNode}, {port, Port},
+ {host, Hostname},
+ {from, self()},
+ {mfa, {?MODULE, connection_info_result, []}},
+ {options, ClientOpts}]),
+ CipherSuite = first_rsa_suite(ssl:cipher_suites()),
+ ServerMsg = ClientMsg = {ok, {'tlsv1.2', CipherSuite}},
+ ssl_test_lib:check_result(Server, ServerMsg, Client, ClientMsg).
+
+%%--------------------------------------------------------------------
+unordered_protocol_versions_client() ->
+ [{doc,"Test that the highest protocol is selected even"
+ " when it is not first in the versions list."}].
+
+unordered_protocol_versions_client(Config) when is_list(Config) ->
+ ClientOpts = ?config(client_opts, Config),
+ ServerOpts = ?config(server_opts, Config),
+
+ {ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config),
+ Server = ssl_test_lib:start_server([{node, ServerNode}, {port, 0},
+ {from, self()},
+ {mfa, {?MODULE, connection_info_result, []}},
+ {options, ServerOpts }]),
+ Port = ssl_test_lib:inet_port(Server),
+
+ Client = ssl_test_lib:start_client([{node, ClientNode}, {port, Port},
+ {host, Hostname},
+ {from, self()},
+ {mfa, {?MODULE, connection_info_result, []}},
+ {options, [{versions, ['tlsv1.1', 'tlsv1.2']} | ClientOpts]}]),
+
+ CipherSuite = first_rsa_suite(ssl:cipher_suites()),
+ ServerMsg = ClientMsg = {ok, {'tlsv1.2', CipherSuite}},
+ ssl_test_lib:check_result(Server, ServerMsg, Client, ClientMsg).
+
+%%--------------------------------------------------------------------
server_name_indication_option() ->
[{doc,"Test API server_name_indication option to connect."}].
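Review bot: `unordered_protocol_versions_server/1` and `unordered_protocol_versions_client/1` end at `check_result` without `ssl_test_lib:close(Server)` and `ssl_test_lib:close(Client)`, which other cases added in this commit (`recv_active`, `accept_pool`) do call. Their doc strings are identical; appending `(server side)` and `(client side)` would tell them apart in reports. The expected suite comes from `first_rsa_suite(ssl:cipher_suites())`, which presumes the negotiated suite is the first RSA-authenticated entry of that list; a short comment stating that assumption would help the next maintainer.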
@@ -2994,6 +3192,53 @@ server_name_indication_option(Config) when is_list(Config) ->
ssl_test_lib:close(Server),
ssl_test_lib:close(Client0),
ssl_test_lib:close(Client1).
+%%--------------------------------------------------------------------
+
+accept_pool() ->
+ [{doc,"Test having an accept pool."}].
+accept_pool(Config) when is_list(Config) ->
+ ClientOpts = ?config(client_opts, Config),
+ ServerOpts = ?config(server_opts, Config),
+
+ {ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config),
+ Server0 = ssl_test_lib:start_server([{node, ServerNode}, {port, 0},
+ {from, self()},
+ {accepters, 3},
+ {mfa, {ssl_test_lib, send_recv_result_active, []}},
+ {options, ServerOpts}]),
+ Port = ssl_test_lib:inet_port(Server0),
+ [Server1, Server2] = ssl_test_lib:accepters(2),
+
+ Client0 = ssl_test_lib:start_client([{node, ClientNode}, {port, Port},
+ {host, Hostname},
+ {from, self()},
+ {mfa, {ssl_test_lib, send_recv_result_active, []}},
+ {options, ClientOpts}
+ ]),
+
+ Client1 = ssl_test_lib:start_client([{node, ClientNode}, {port, Port},
+ {host, Hostname},
+ {from, self()},
+ {mfa, {ssl_test_lib, send_recv_result_active, []}},
+ {options, ClientOpts}
+ ]),
+
+ Client2 = ssl_test_lib:start_client([{node, ClientNode}, {port, Port},
+ {host, Hostname},
+ {from, self()},
+ {mfa, {ssl_test_lib, send_recv_result_active, []}},
+ {options, ClientOpts}
+ ]),
+
+ ssl_test_lib:check_ok([Server0, Server1, Server2, Client0, Client1, Client2]),
+
+ ssl_test_lib:close(Server0),
+ ssl_test_lib:close(Server1),
+ ssl_test_lib:close(Server2),
+ ssl_test_lib:close(Client0),
+ ssl_test_lib:close(Client1),
+ ssl_test_lib:close(Client2).
+
%%--------------------------------------------------------------------
%% Internal functions ------------------------------------------------
@@ -3454,7 +3699,7 @@ run_suites(Ciphers, Version, Config, Type) ->
Result = lists:map(fun(Cipher) ->
cipher(Cipher, Version, Config, ClientOpts, ServerOpts) end,
- Ciphers),
+ ssl_test_lib:filter_suites(Ciphers)),
case lists:flatten(Result) of
[] ->
ok;
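Review bot: Wrapping the list in `ssl_test_lib:filter_suites(Ciphers)` means the list handed to `lists:map/2` can be empty, and an empty `Result` takes the `[] -> ok` branch, so the run passes without exercising a single cipher suite. Logging what was filtered, for example `ct:log("Testing suites ~p", [ssl_test_lib:filter_suites(Ciphers)])`, or skipping the case when nothing remains, would keep a vacuous pass from looking like coverage. The rest of `run_suites/4` is outside the hunk.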
@@ -3505,6 +3750,10 @@ cipher(CipherSuite, Version, Config, ClientOpts, ServerOpts) ->
connection_info_result(Socket) ->
ssl:connection_info(Socket).
+version_info_result(Socket) ->
+ {ok, {Version, _}} = ssl:connection_info(Socket),
+ {ok, Version}.
+
connect_dist_s(S) ->
Msg = term_to_binary({erlang,term}),
ok = ssl:send(S, Msg).
@@ -3582,3 +3831,22 @@ version_option_test(Config, Version) ->
ssl_test_lib:close(Server),
ssl_test_lib:close(Client).
+
+try_recv_active(Socket) ->
+ ssl:send(Socket, "Hello world"),
+ {error, einval} = ssl:recv(Socket, 11),
+ ok.
+try_recv_active_once(Socket) ->
+ {error, einval} = ssl:recv(Socket, 11),
+ ok.
+
+first_rsa_suite([{ecdhe_rsa, _, _} = Suite | _]) ->
+ Suite;
+first_rsa_suite([{dhe_rsa, _, _} = Suite| _]) ->
+ Suite;
+first_rsa_suite([{rsa, _, _} = Suite| _]) ->
+ Suite;
+first_rsa_suite([_ | Rest]) ->
+ first_rsa_suite(Rest).
+
+
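Review bot: `try_recv_active/1` discards the result of `ssl:send(Socket, "Hello world")`, so a failed send goes unnoticed and the `ssl:recv/2` assertion is the only check; `ok = ssl:send(Socket, "Hello world"),` makes the send part of the test. `first_rsa_suite/1` has no clause for `[]` and fails with `function_clause` when the list contains no RSA suite. That is acceptable in a test helper but deserves a comment such as `%% Crashes on purpose if no RSA suite is available`.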
diff --git a/lib/ssl/test/ssl_crl_SUITE.erl b/lib/ssl/test/ssl_crl_SUITE.erl
index 4eacf3adfc..bad0949ec4 100644
--- a/lib/ssl/test/ssl_crl_SUITE.erl
+++ b/lib/ssl/test/ssl_crl_SUITE.erl
@@ -48,8 +48,8 @@ all() ->
].
groups() ->
- [{basic, [], basic_tests()},
- {v1_crl, [], v1_crl_tests()},
+ [{basic, [], basic_tests()},
+ {v1_crl, [], v1_crl_tests()},
{idp_crl, [], idp_crl_tests()}].
basic_tests() ->
@@ -72,8 +72,8 @@ init_per_suite(Config0) ->
_ ->
TLSVersion = ?config(tls_version, Config0),
OpenSSL_version = (catch os:cmd("openssl version")),
- ct:log("TLS version: ~p~nOpenSSL version: ~p~n~n~p:module_info(): ~p~n~nssh:module_info(): ~p~n",
- [TLSVersion, OpenSSL_version, ?MODULE, ?MODULE:module_info(), ssh:module_info()]),
+ ct:log("TLS version: ~p~nOpenSSL version: ~p~n~n~p:module_info(): ~p~n~nssl:module_info(): ~p~n",
+ [TLSVersion, OpenSSL_version, ?MODULE, ?MODULE:module_info(), ssl:module_info()]),
case ssl_test_lib:enough_openssl_crl_support(OpenSSL_version) of
false ->
{skip, io_lib:format("Bad openssl version: ~p",[OpenSSL_version])};
@@ -82,7 +82,13 @@ init_per_suite(Config0) ->
try crypto:start() of
ok ->
ssl:start(),
- [{watchdog, Dog}, {openssl_version,OpenSSL_version} | Config0]
+ {ok, Hostname0} = inet:gethostname(),
+ IPfamily =
+ case lists:member(list_to_atom(Hostname0), ct:get_config(ipv6_hosts,[])) of
+ true -> inet6;
+ false -> inet
+ end,
+ [{ipfamily,IPfamily}, {watchdog, Dog}, {openssl_version,OpenSSL_version} | Config0]
catch _C:_E ->
ct:log("crypto:start() caught ~p:~p",[_C,_E]),
{skip, "Crypto did not start"}
@@ -98,21 +104,23 @@ end_per_suite(_Config) ->
%%% Group init/end
init_per_group(Group, Config) ->
- ct:log("~p:~p~nlisteners to port 8000:~n~p~n)",[?MODULE,?LINE,os:cmd("netstat -tln|grep ':8000'")]),
ssl:start(),
inets:start(),
CertDir = filename:join(?config(priv_dir, Config), Group),
DataDir = ?config(data_dir, Config),
ServerRoot = make_dir_path([?config(priv_dir,Config), Group, tmp]),
- Result = make_certs:all(DataDir, CertDir, cert_opts(Group)),
- ct:log("~p:~p~nmake_certs:all(~n DataDir=~p,~n CertDir=~p,~n ServerRoot=~p~n Opts=~p~n) returned ~p~n", [?MODULE,?LINE,DataDir, CertDir, ServerRoot, cert_opts(Group), Result]),
%% start a HTTP server to serve the CRLs
- {ok, Httpd} = inets:start(httpd, [{server_name, "localhost"}, {port, 8000},
+ {ok, Httpd} = inets:start(httpd, [{ipfamily, ?config(ipfamily,Config)},
+ {server_name, "localhost"}, {port, 0},
{server_root, ServerRoot},
{document_root, CertDir},
{modules, [mod_get]}
]),
- ct:log("~p:~p~nlisteners to port 8000:~n~p~n)",[?MODULE,?LINE,os:cmd("netstat -tln|grep ':8000'")]),
+ [{port,Port}] = httpd:info(Httpd, [port]),
+ ct:log("~p:~p~nHTTPD IP family=~p, port=~p~n", [?MODULE, ?LINE, ?config(ipfamily,Config), Port]),
+ CertOpts = [{crl_port,Port}|cert_opts(Group)],
+ Result = make_certs:all(DataDir, CertDir, CertOpts),
+ ct:log("~p:~p~nmake_certs:all(~n DataDir=~p,~n CertDir=~p,~n ServerRoot=~p~n Opts=~p~n) returned ~p~n", [?MODULE,?LINE,DataDir, CertDir, ServerRoot, CertOpts, Result]),
[{make_cert_result, Result}, {cert_dir, CertDir}, {httpd, Httpd} | Config].
cert_opts(v1_crl) -> [{v2_crls, false}];
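Review bot: `inets:start(httpd, ...)` now runs before `make_certs:all/3`, so `{document_root, CertDir}` is handed to the server before the certificate directory has been populated. This works only if `CertDir` already exists at that point, presumably because `make_dir_path/1` creates `ServerRoot` beneath it; that helper is outside the hunk, so it is worth confirming. If `make_certs:all/3` raises, the started `Httpd` is not stopped in this function. A comment above the `inets:start` call, such as `%% httpd is started first: its dynamically assigned port goes into the CRL distribution point`, would explain the new order.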
@@ -134,7 +142,6 @@ end_per_group(_GroupName, Config) ->
,ct:log("Stopped",[])
end,
inets:stop(),
- ct:log("~p:~p~nlisteners to port 8000:~n~p~n)",[?MODULE,?LINE,os:cmd("netstat -tln|grep ':8000'")]),
Config.
%%%================================================================
@@ -481,7 +488,6 @@ fetch([]) ->
not_available;
fetch([{uniformResourceIdentifier, "http"++_=URL}|Rest]) ->
ct:log("~p:~p~ngetting CRL from ~p~n", [?MODULE,?LINE, URL]),
- ct:log("~p:~p~nlisteners to port 8000:~n~p~n)",[?MODULE,?LINE,os:cmd("netstat -tln|grep ':8000'")]),
case httpc:request(get, {URL, []}, [], [{body_format, binary}]) of
{ok, {_Status, _Headers, Body}} ->
case Body of
diff --git a/lib/ssl/test/ssl_handshake_SUITE.erl b/lib/ssl/test/ssl_handshake_SUITE.erl
index 6d020c472b..5f36842f9e 100644
--- a/lib/ssl/test/ssl_handshake_SUITE.erl
+++ b/lib/ssl/test/ssl_handshake_SUITE.erl
@@ -1,7 +1,7 @@
%%
%% %CopyrightBegin%
%%
-%% Copyright Ericsson AB 2008-2013. All Rights Reserved.
+%% Copyright Ericsson AB 2008-2014. All Rights Reserved.
%%
%% The contents of this file are subject to the Erlang Public License,
%% Version 1.1, (the "License"); you may not use this file except in
@@ -26,6 +26,7 @@
-include_lib("common_test/include/ct.hrl").
-include("ssl_internal.hrl").
-include("tls_handshake.hrl").
+-include_lib("public_key/include/public_key.hrl").
%%--------------------------------------------------------------------
%% Common Test interface functions -----------------------------------
@@ -36,7 +37,8 @@ all() -> [decode_hello_handshake,
decode_single_hello_extension_correctly,
decode_supported_elliptic_curves_hello_extension_correctly,
decode_unknown_hello_extension_correctly,
- encode_single_hello_sni_extension_correctly].
+ encode_single_hello_sni_extension_correctly,
+ select_proper_tls_1_2_rsa_default_hashsign].
%%--------------------------------------------------------------------
%% Test Cases --------------------------------------------------------
@@ -95,3 +97,11 @@ encode_single_hello_sni_extension_correctly(_Config) ->
HelloExt = <<ExtSize:16/unsigned-big-integer, SNI/binary>>,
Encoded = ssl_handshake:encode_hello_extensions(Exts),
HelloExt = Encoded.
+
+select_proper_tls_1_2_rsa_default_hashsign(_Config) ->
+ % RFC 5246 section 7.4.1.4.1 tells to use {sha1,rsa} as default signature_algorithm for RSA key exchanges
+ {sha, rsa} = ssl_handshake:select_hashsign_algs(undefined, ?rsaEncryption, {3,3}),
+ % Older versions use MD5/SHA1 combination
+ {md5sha, rsa} = ssl_handshake:select_hashsign_algs(undefined, ?rsaEncryption, {3,2}),
+ {md5sha, rsa} = ssl_handshake:select_hashsign_algs(undefined, ?rsaEncryption, {3,0}).
+
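Review bot: The new case checks `{3,3}`, `{3,2}` and `{3,0}` but not TLS 1.0, so a regression in the default for `{3,1}` would pass unnoticed. Adding `{md5sha, rsa} = ssl_handshake:select_hashsign_algs(undefined, ?rsaEncryption, {3,1}),` closes the gap, assuming TLS 1.0 shares the MD5/SHA-1 default as the "Older versions" comment implies. The first comment writes the pair as `{sha1,rsa}` while the assertion uses `{sha, rsa}`; using the atom from the code in the comment avoids confusion.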
diff --git a/lib/ssl/test/ssl_test_lib.erl b/lib/ssl/test/ssl_test_lib.erl
index 59f10d53a6..150b5037d7 100644
--- a/lib/ssl/test/ssl_test_lib.erl
+++ b/lib/ssl/test/ssl_test_lib.erl
@@ -67,7 +67,16 @@ run_server(Opts) ->
run_server(ListenSocket, Opts).
run_server(ListenSocket, Opts) ->
- do_run_server(ListenSocket, connect(ListenSocket, Opts), Opts).
+ Accepters = proplists:get_value(accepters, Opts, 1),
+ run_server(ListenSocket, Opts, Accepters).
+
+run_server(ListenSocket, Opts, 1) ->
+ do_run_server(ListenSocket, connect(ListenSocket, Opts), Opts);
+run_server(ListenSocket, Opts, N) ->
+ Pid = proplists:get_value(from, Opts),
+ Server = spawn(?MODULE, run_server, [ListenSocket, Opts, 1]),
+ Pid ! {accepter, N, Server},
+ run_server(ListenSocket, Opts, N-1).
do_run_server(_, {error, timeout} = Result, Opts) ->
Pid = proplists:get_value(from, Opts),
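Review bot: The extra accepters are started with a bare `spawn(?MODULE, run_server, [ListenSocket, Opts, 1])`, so they are neither linked to nor monitored by the process that starts them, and leftover accepters can outlive a failed case. `spawn_link(?MODULE, run_server, [ListenSocket, Opts, 1])` ties their lifetime to the starter. The second `run_server/3` clause also has no guard on `N`, so an `accepters` value of 0 or below keeps spawning and recursing without reaching the `1` clause; `when is_integer(N), N > 1` would reject such values.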
@@ -106,7 +115,7 @@ connect(#sslsocket{} = ListenSocket, Opts) ->
Node = proplists:get_value(node, Opts),
ReconnectTimes = proplists:get_value(reconnect_times, Opts, 0),
Timeout = proplists:get_value(timeout, Opts, infinity),
- SslOpts = proplists:get_value(ssl_opts, Opts, []),
+ SslOpts = proplists:get_value(ssl_extra_opts, Opts, []),
AcceptSocket = connect(ListenSocket, Node, 1 + ReconnectTimes, dummy, Timeout, SslOpts),
case ReconnectTimes of
0 ->
@@ -177,10 +186,7 @@ run_client(Opts) ->
Pid = proplists:get_value(from, Opts),
Transport = proplists:get_value(transport, Opts, ssl),
Options = proplists:get_value(options, Opts),
- ct:log("~p:~p~nssl:connect(~p, ~p, ~p)~n", [?MODULE,?LINE, Host, Port, Options]),
-ct:log("~p:~p~nnet_adm:ping(~p)=~p",[?MODULE,?LINE, Node,net_adm:ping(Node)]),
-%%ct:log("~p:~p~n~p:connect(~p, ~p, ~p)@~p~n", [?MODULE,?LINE, Transport, Host, Port, Options, Node]),
-ct:log("~p:~p~n~p:connect(~p, ~p, ...)@~p~n", [?MODULE,?LINE, Transport, Host, Port, Node]),
+ ct:log("~p:~p~n~p:connect(~p, ~p)@~p~n", [?MODULE,?LINE, Transport, Host, Port, Node]),
case rpc:call(Node, Transport, connect, [Host, Port, Options]) of
{ok, Socket} ->
Pid ! {connected, Socket},
@@ -290,7 +296,16 @@ wait_for_result(Server, ServerMsg, Client, ClientMsg) ->
%% Unexpected
end.
-
+check_ok([]) ->
+ ok;
+check_ok(Pids) ->
+ receive
+ {Pid, ok} ->
+ check_ok(lists:delete(Pid, Pids));
+ Other ->
+ ct:fail({expected, {"pid()", ok}, got, Other})
+ end.
+
wait_for_result(Pid, Msg) ->
receive
{Pid, Msg} ->
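Review bot: In `check_ok/1` the pattern `{Pid, ok}` binds a fresh `Pid`, so an `ok` from any process is accepted, and `lists:delete/2` leaves the list unchanged when that pid is not one being awaited. Asserting membership first, `true = lists:member(Pid, Pids),` before the recursive call, makes a stray message fail the case. The `receive` has no `after` clause, so a missing result blocks until the Common Test timetrap fires instead of failing with the outstanding pids. The same holds for the `receive` in `accepters/2` in the next hunk.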
@@ -679,6 +694,17 @@ run_client_error(Opts) ->
Error = rpc:call(Node, Transport, connect, [Host, Port, Options]),
Pid ! {self(), Error}.
+accepters(N) ->
+ accepters([], N).
+
+accepters(Acc, 0) ->
+ Acc;
+accepters(Acc, N) ->
+ receive
+ {accepter, _, Server} ->
+ accepters([Server| Acc], N-1)
+ end.
+
inet_port(Pid) when is_pid(Pid)->
receive
{Pid, {port, Port}} ->
@@ -846,25 +872,34 @@ psk_suites() ->
{psk, '3des_ede_cbc', sha},
{psk, aes_128_cbc, sha},
{psk, aes_256_cbc, sha},
+ {psk, aes_128_cbc, sha256},
+ {psk, aes_256_cbc, sha384},
{dhe_psk, rc4_128, sha},
{dhe_psk, '3des_ede_cbc', sha},
{dhe_psk, aes_128_cbc, sha},
{dhe_psk, aes_256_cbc, sha},
+ {dhe_psk, aes_128_cbc, sha256},
+ {dhe_psk, aes_256_cbc, sha384},
{rsa_psk, rc4_128, sha},
{rsa_psk, '3des_ede_cbc', sha},
{rsa_psk, aes_128_cbc, sha},
- {rsa_psk, aes_256_cbc, sha}],
+ {rsa_psk, aes_256_cbc, sha},
+ {rsa_psk, aes_128_cbc, sha256},
+ {rsa_psk, aes_256_cbc, sha384}
+],
ssl_cipher:filter_suites(Suites).
psk_anon_suites() ->
- [{psk, rc4_128, sha},
- {psk, '3des_ede_cbc', sha},
- {psk, aes_128_cbc, sha},
- {psk, aes_256_cbc, sha},
- {dhe_psk, rc4_128, sha},
- {dhe_psk, '3des_ede_cbc', sha},
- {dhe_psk, aes_128_cbc, sha},
- {dhe_psk, aes_256_cbc, sha}].
+ Suites =
+ [{psk, rc4_128, sha},
+ {psk, '3des_ede_cbc', sha},
+ {psk, aes_128_cbc, sha},
+ {psk, aes_256_cbc, sha},
+ {dhe_psk, rc4_128, sha},
+ {dhe_psk, '3des_ede_cbc', sha},
+ {dhe_psk, aes_128_cbc, sha},
+ {dhe_psk, aes_256_cbc, sha}],
+ ssl_cipher:filter_suites(Suites).
srp_suites() ->
Suites =
@@ -877,9 +912,11 @@ srp_suites() ->
ssl_cipher:filter_suites(Suites).
srp_anon_suites() ->
- [{srp_anon, '3des_ede_cbc', sha},
- {srp_anon, aes_128_cbc, sha},
- {srp_anon, aes_256_cbc, sha}].
+ Suites =
+ [{srp_anon, '3des_ede_cbc', sha},
+ {srp_anon, aes_128_cbc, sha},
+ {srp_anon, aes_256_cbc, sha}],
+ ssl_cipher:filter_suites(Suites).
srp_dss_suites() ->
Suites =
@@ -1089,3 +1126,13 @@ version_flag('tlsv1.2') ->
" -tls1_2 ";
version_flag(sslv3) ->
" -ssl3 ".
+
+filter_suites(Ciphers0) ->
+ Version = tls_record:highest_protocol_version([]),
+ Supported0 = ssl_cipher:suites(Version)
+ ++ ssl_cipher:anonymous_suites()
+ ++ ssl_cipher:psk_suites(Version)
+ ++ ssl_cipher:srp_suites(),
+ Supported1 = ssl_cipher:filter_suites(Supported0),
+ Supported2 = [ssl:suite_definition(S) || S <- Supported1],
+ [Cipher || Cipher <- Ciphers0, lists:member(Cipher, Supported2)].
diff --git a/lib/ssl/test/ssl_to_openssl_SUITE.erl b/lib/ssl/test/ssl_to_openssl_SUITE.erl
index a7361755e5..d36e441c7a 100644
--- a/lib/ssl/test/ssl_to_openssl_SUITE.erl
+++ b/lib/ssl/test/ssl_to_openssl_SUITE.erl
@@ -1341,7 +1341,7 @@ check_sane_openssl_renegotaite(Config, Version) when Version == 'tlsv1.1';
{skip, "Known renegotiation bug in OpenSSL"};
"OpenSSL 1.0.1a" ++ _ ->
{skip, "Known renegotiation bug in OpenSSL"};
- "OpenSSL 1.0.1" ++ _ ->
+ "OpenSSL 1.0.1 " ++ _ ->
{skip, "Known renegotiation bug in OpenSSL"};
_ ->
check_sane_openssl_renegotaite(Config)